October 3, 2023

Mozilla has released Firefox 115 to the stable channel with patches for a dozen vulnerabilities, including two high-severity use-after-free bugs.

The first hugh severity vulnerability tracked as CVE-2023-37201 is described as a use-after-free flaw in WebRTC certificate generation. An attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS.

The second high-severity vulnerability, CVE-2023-37202, is described as a potential use-after-free issue from compartment mismatch in the open source JavaScript and WebAssembly engine SpiderMonkey. Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment, resulting in a use-after-free.


The latest version also addresses high-severity memory safety bugs that might have led to the execution of arbitrary code. The flaws tracked as CVE-2023-37211 and CVE-2023-37212.

Firefox 115 also includes patches for eight medium-severity vulnerabilities

  • CVE-2023-37203: Drag and Drop API may provide access to local system files
  • CVE-2023-37204: Fullscreen notification obscured via option element
  • CVE-2023-37205: URL spoofing in address bar using RTL characters
  • CVE-2023-37206: Insufficient validation of symlinks in the FileSystem API
  • CVE-2023-37207: Fullscreen notification obscured
  • CVE-2023-37208: Lack of warning when opening Diagcab files
  • CVE-2023-37209: Use-after-free in `NotifyOnHistoryReload`
  • CVE-2023-3482: Block all cookies bypass for local storage

Additional information on the resolved vulnerabilities can be found on Mozilla’s security advisories page.

Leave a Reply

%d bloggers like this: